2q-report-on-targeted-attack-campaigns.pdf
TRANSCRIPT
-
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
1/23
A TrendLabs Report
2Q Report onTargeted Attack Campaigns
-
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
2/23
Trend Micro | 2Q Report on Targeted Attack Campaigns
2
Contents
Introduction ...........................................................................................................................................4
Campaigns Observed in 2Q ................................................................................................................5
Targeted Attack Campaigns Proling ..................................................................................5
Affected Industry Sectors .......................................................................................................6
Affected Regions ......................................................................................................................6
Attachments Used In Targeted Attacks ................................................................................7
C&C Statistics ...........................................................................................................................7
Feature: EvilGrab Campaign Targets Diplomatic Agencies..........................................................8
Targets ........................................................................................................................................8
Attack Vectors ...........................................................................................................................9
Exploits, Payloads, and Decoy Documents..........................................................................9
DLL Preloading Using the Windows Shell and Fax Server...............................................9
-
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
3/23
Trend Micro | 2Q Report on Targeted Attack Campaigns
3
TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice.
The information contained herein may not be applicable to all situations and may not reect the most current situation. Nothing contained herein should be relied on
or acted upon without the benet of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend
Micro reserves the right to modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise
related to the accuracy of a translation, please refer to the original language ofcial version of the document. Any discrepancies or differences created in the
translation are not binding and have no legal effect for compliance or enforcement purposes.
Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind
as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own r isk. Trend
Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shal
be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business prots, or special damages, whatsoever arising
out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information
constitutes acceptance for use in an as is condition.
Other Autorun Behaviors .....................................................................................................10
Stealth Operation....................................................................................................................10
Registry Storage ......................................................................................................................11
Media Grabbing......................................................................................................................11
User Credential Theft............................................................................................................11
Tencent QQ Memory Reading: ............................................................................................13
Key Logging............................................................................................................................13
Command & Control Servers...............................................................................................14
Backdoor Activity ...................................................................................................................15
Trend Micro Recommendations .......................................................................................................21
References ............................................................................................................................................22
-
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
4/23
Trend Micro | 2Q Report on Targeted Attack Campaigns
4
Introduction
Highly targeted attacks refer to a category of threats that pertain to intrusions by threat actors
or attackers. These attackers aggressively pursue and compromise chosen targets in order to
steal sensitive information. These are not conducted through separate attacks; rather, they
comprise of a series of attempts over time to get deeper and deeper into a targets network.Each attempt may either succeed or fail, but the overall goal is to penetrate the targets network
and acquire information. Malware is typically used as an attack vector, but the real threat
involves human operators who adapt, adjust, and improve their methods based on the victimsdefenses.
Enterprises should consider targeted attacks a high-priority threat because of the considerable
damage they incur. The human and systemic weaknesses that allow an attacker to compromise
an organization can be minimized and mitigated with correct practices and solutions. However,
these same weaknesses can never be fully resolved.
Trend Micro monitors the targeted attack landscape in order to identify ongoing campaigns and
provide additional threat intelligence useful for identifying the existence of these campaigns
in an enterprise network. This quarterly report presents the targeted attack campaigns
observed and mitigated by Trend Micro based on reported customer cases, as well as our own
independently gathered data.
-
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
5/23
Trend Micro | 2Q Report on Targeted Attack Campaigns
5
Campaigns Observed in 2Q
Targeted Attack Campaigns Profiling
We encountered a variety of targeted campaigns in the second quarter of the year.
These include the following:
IXESHE. The IXESHE campaign is known for targeting East Asian
governments, electronics manufacturers, and telecommunications rms. We
released a white paper discussing this campaign.1IXESHE has been active since
2012.
ELISE. This recently discovered campaign also targets government agencies
in the Asia Pacic region. It is called ELISE after certain strings found
in its unpacked code. (We detect the malware used by this campaign as
BKDR_ELISE.)
ZEGOST.This family of backdoors (aka HTTP Tunnel) is Chinese in origin
and was used in attacks against Asian government organizations.
BEEBUS/MUTTER.This is a targeted campaign believed to be associated
with the Comment Crew attacker group because of the use of encrypted/
obfuscated HTML comments to hide their C&C transactions.
TravNet.This campaign made use of a malware family identied as NetTraveler
based on the strings found in the malware code. The malware is detected as
BKDR_TRAVLAR.
-
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
6/23
-
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
7/23
Trend Micro | 2Q Report on Targeted Attack Campaigns
7
Attachments Used In Targeted Attacks
Based on our ndings, the most common type of email attachment type used in targeted
attacks were le archives of various forms. When uncompressed, these archives typically
contain the malicious payload itself, which the user may then run directly. Alternately,
they may also contain a .DOC le that contains exploit code. RTF les made up thesecond most common le type.
Frequently, the .EXE les we see are made to appear as ordinary documents or folders
using appropriately chosen icons. In addition, we also saw an increased use of les that
make use of right-to-left override (RTLO) in Unicode.
C&C Statistics
We were also able to monitor the activity of various C&C servers related to targetedattacks. By volume of C&C server activity, the following countries ranked as follows:
1
42
3
7
8
9
Australia
South Korea
Germany
Japan
Italy
Taiwan
India
United States
Vietnam
Netherlands
Others
1
2
3
4
5
6
7
8
9
10
32%
15%
9%
7%
6%
5%
4%
3%
2%
2%
15%
Volume percent of C&C server activity per country
File types used in targeted attacks
-
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
8/23
Trend Micro | 2Q Report on Targeted Attack Campaigns
8
Feature: EvilGrab Campaign Targets Diplomatic Agencies
In this report, we will provide a detailed analysis of the EvilGrab campaign. This campaign
was rst found targeting certain Asian and European governments. Its name is derived from
its behavior of grabbing audio, video, and screenshots from affected machines.
Currently, the malware used by EvilGrab belongs to one of three malware families:
BKDR_HGDER
BKDR_EVILOGE
BKDR_NVICM
Targets
Our research indicates that EvilGrab activity is most prevalent in China and Japan,although it is also present in other parts of the world. Government organizations were,
by far, the most affected by EvilGrab. This geolocation is based on the IP addresses of
the victims. Therefore, foreign institutions within China would be identied as coming
from China; the same would hold true for all countries. EvilGrab was also found in the
United States, Canada, France, Spain, and Australia, among others.
Map of top affected countries by targeted attacks
Sectors affected by targeted attacks
1
2
3
4
GOVERNMENT
NON-GOVERNMENT ORGANIZATIONS
MILITARY
ONLINE MEDIA
89%
7%
3%
1%
1
4
2
3
5
China
Japan
South Africa
Thailand
Canada
Others
1
2
3
4
5
36%
18%
3%
2%
2%
39%
-
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
9/23
Trend Micro | 2Q Report on Targeted Attack Campaigns
9
Attack Vectors
Research indicates that EvilGrab is primarily distributed through spear-phishing emails
with malicious attachments that exploit various vulnerabilities to run malicious code.
Among the attachment types are:
Microsoft Excel spreadsheets (CVE-2012-0158and CVE-2012-2543)
PDFs (CVE-2013-0640)
Microsoft Word documents (CVE-2012-0158)
A .RAR le with a folder named thumbs.dbwas also seen containing malicious code.
By using this name, the intention was to disguise itself as the Windows thumbnail
cache. A shortcut le (.LNK) was also seen in the .RAR le, which used a folder icon
to make users believe it was another folder. In reality, running the .LNK le executes
the malware. In addition, the .RAR le contains a desktop.inile in order to change the
thumbs.dbfolder icon into the icon of the Windows thumbnail cache.
Exploits, Payloads, and Decoy Documents
The EvilGrab campaigns use of exploits, payloads, and decoy documents is similar to
the Taidoor campaign in 2012.2The primary difference is that EvilGrab variants have
multiple layers of shellcode. In addition, some variants copy the le name and use it as
the decoy document le name. Other variants overwrite the exploit document with the
contents of the decoy document.
As noted above, some variants also use disguised folders and shortcuts and do not use
exploits to run their code.
DLL Preloading Using the Windows Shell and Fax Server
DLL preloading is a vulnerability that has been documented for over three years.3The
EvilGrab campaign makes use of this vulnerability for its AutoRun routine.
Whenever it is run, the Windows shell (explorer.exe) loads a component of the fax server
in Windows, fxsst.dll. This is normally located in the System32 folder. Whenever an
instance of explorer.exeis launched (i.e., at every system startup), the system searches for
the said .DLL le and loads it.
EvilGrab drops one of its .DLL components in the Windows folder, where explorer.
exeis also located. The malicious .DLL (also named fxsst.dll) is loaded instead of the
legitimate copy. It also serves as the loader of the main backdoor.
http://web.nvd.nist.gov/view/vuln/detail%3FvulnId%3DCVE-2012-0158http://web.nvd.nist.gov/view/vuln/detail%3FvulnId%3DCVE-2012-2543http://web.nvd.nist.gov/view/vuln/detail%3FvulnId%3DCVE-2013-0640http://web.nvd.nist.gov/view/vuln/detail%3FvulnId%3DCVE-2012-0158http://web.nvd.nist.gov/view/vuln/detail%3FvulnId%3DCVE-2012-0158http://web.nvd.nist.gov/view/vuln/detail%3FvulnId%3DCVE-2013-0640http://web.nvd.nist.gov/view/vuln/detail%3FvulnId%3DCVE-2012-2543http://web.nvd.nist.gov/view/vuln/detail%3FvulnId%3DCVE-2012-0158 -
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
10/23
Trend Micro | 2Q Report on Targeted Attack Campaigns
10
While DLL preloading has been used by other malware in the past, it is less common
to see it specically targetexplorer.exe. Other malware families that use this vulnerability
typically target executable les outside of Windows; EvilGrab targets a part of Windows
itself.
Other Autorun Behaviors
In addition to the above behavior, EvilGrab also creates the following registry entry toenable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
UKey = %Application Data%\360\Live360.exe
The le %Application Data%\360\Live360.exe is a copy of one of the malware
components. It also creates a shortcut under the Startup folder in the Start menu:
IEChecker.lnk
Target: %UserProfle%\IEChecker.exeL
Icon: %Full path of Iexplorer.exe%(This uses the Internet Explorer icon
and disguise itself as part of Internet Explorer.)
The above le is also a copy of one of the malicious components.
Stealth Operation
EvilGrab has three primary components: one .EXE le and two .DLL les. The .EXEle acts as the installer for all of the EvilGrab components. One of the .DLL les
serves as a loader for the other .DLL le, which is the main backdoor component.
Some variants of EvilGrab delete the .EXE le after installation to cover its tracks more
effectively. As noted earlier, the loader le is namedfxsst.dll. However, examination of
its header states that its actual le name is supposed to be svchost.dll.
These components are also encrypted and saved in the registry. To add stealth to its
backdoor routines, it uses a legitimate process contexts memory space to inject themain backdoor.
-
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
11/23
Trend Micro | 2Q Report on Targeted Attack Campaigns
1
By default, this backdoor injects itself into the svchost.exeor winlogon.exeprocess. It also
checks if certain processes related to certain security products are running on the
affected system. The specic processes targeted are:
avp.exe
klwtblfs.exe
starter.exe
wmifw.exe
Other variants of this malware also check if other security products are present. It is
not clear why EvilGrab specically targets these products. However, it is possible that
the attackers determined that targets for this campaign are likely running these products.
Registry Storage
EvilGrab stores its components in the following registry entries:
HKCU\Software\rar and/or HKLM\SOFTWARE\rar
data = {Encrypted copy of the main backdoor DLL}
s = {Encrypted copy of the loader DLL}
e = {Encrypted string which points to the full path of
the installer EXE}
Media Grabbing
To capture video, EvilGrab creates a capture window with the class name of ESET.It uses the Sample Grabber lter (part of the DirectShow technology in Windows) to
directly perform grabbing.4It also uses Wave APIs to capture audio.5
User Credential Theft
EvilGrab steals user credentials related to the following applications and/or protocols:
HTTP
HTTPMail
IMAP
Internet Explorer (IE)
Microsoft Outlook
-
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
12/23
Trend Micro | 2Q Report on Targeted Attack Campaigns
12
MSN
POP3
Protected Storage
SMTP
Windows Messaging
EvilGrab steals these credentials by parsing the following registry keys:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Proles
HKCU\Software\Microsoft\Windows Messaging Subsystem\Proles
HKCU\Software\Microsoft\Internet Account Manager\Accounts HKCU\Software\Microsoft\Ofce\Outlook\OMI Account Manager\Accounts
It queries the above keys for related values that correspond to the applications and
protocols listed earlier. The values are then decrypted using the system librarypstorec.dll.
It also steals login credential from IE autocomplete entries. It does this by rst parsingthe index.datles in the IE History folder. It then collects autocomplete entries fromthe following registry key:
HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
It then initiates a brute force attack on encrypted credentials using the CryptUnprotectData
API. However, it will only try to steal passwords from IEs password-protected sites
and MSN Explorer Signup if kav.exe(related to a security product) is not running in the
system.
-
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
13/23
Trend Micro | 2Q Report on Targeted Attack Campaigns
13
Tencent QQ Memory Reading
If the active window is Tencent QQ (specically, QQ2009 through QQ2012), EvilGrab
will attempt to steal information by directly reading the processs memory and checking
if the class name of the focused window is not named EDIT.
The contents of the processs memory are then saved onto the systems hard drive as
%UserProfle%\users.bin. It is then sent back to the backdoors C&C server. The le on
the hard drive is encrypted; specically, the data is XORed with the key 0x66.
Key Logging
EvilGrab also possesses keylogging capabilities. The logged keystrokes are then sent
back to the C&C and saved to %User Profle%\users.bin. The le on the hard drive is
encrypted; specically, the data is XORed with the key 0x66.
-
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
14/23
Trend Micro | 2Q Report on Targeted Attack Campaigns
14
Command & Control Servers
Each backdoor has one to three C&C servers in its code. Some of C&C servers that we
have seen from our accumulated data are as follows:
112.121.182.150
113.10.246.46
113.10.190.55
202.130.112.231
micoosofts.com
qtds1979 .3322. org
qtds1979.gicp.net
server1. micoosofts. com
sxl1979. gicp. net
webmonder. gicp. net
webposter. gicp. net
www . yahooip . net
www . yahooprotect . com
www . yahooprotect . net
yacooll . com
yahooip . net
yahooprotect . com
-
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
15/23
Trend Micro | 2Q Report on Targeted Attack Campaigns
15
Backdoor Activity
To start its connection to its C&C server, the backdoor component will rst send
5-bytes (\x01\x00\x00\x00\x33). The C&C will reply if it accepts the connection.
The backdoor then replies with a beacon message, the contents of which are as follows:
DescriptionSample value (referring to sample
packet illustrated below)
Size of internal buffer =xFFC (4092)
Hardcoded 0xA0 = xA0
Backdoor identier 1 = "RB0318"
Host IP = "111.222.123.132"
Host port = 432 (1074.)
OS version = "OSVERSION"
Hostname = "HOSTNAME"
User name = "USERNAME"
Camera device detected = "No"
Date time = "0000"
Presence of removable drive = "No"
Backdoor identier 2 = "V2010-v24"
Process ID of the process where thebackdoor is injected
= 21C (540.)
Hardcoded 0x00 = 0
-
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
16/23
Trend Micro | 2Q Report on Targeted Attack Campaigns
16
Either backdoor identier 1 or backdoor identier 2 acts as the campaign code or
marker for EvilGrab campaigns, which is recognizable by the C&C server and/or
attacker. Some of the identiers we saw in backdoor identier 1 are:
006
007
0401
072002
3k-Ja-0606
3k-jp01
4k-lyt25
88j
e-0924
LJ0626
RB0318
Some of the identiers seen in our accumulated data in backdoor identier 2 are as
follows:
V2010-v16
V2010-v24
We noted a correlation between the MZ/PE headers of variants and the strings in
backdoor identier 2. Variants with a V2010-v24 identier have a proper MZ/PE
header; variants with a V2010-v16 header have portions of their header overwritten with
JPEG strings. These variants require a loader component to load them into memory inorder to be executed.
-
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
17/23
Trend Micro | 2Q Report on Targeted Attack Campaigns
17
Below is a sample packet sent at the beginning of the connection:
EvilGrab variants possess a wide variety of possible backdoor commands. The table
below lists its possible commands:
Command code Description
x82 Enumerate drives and their drive types
x83 File listing with le's last modication date, leattribute and le size
x85 Execute downloaded le
x86 Set le pointer of specic le
x87 Close le handles
x88 Load .DLL
x89 Create directory
x8A Delete le
x8B Delete directory tree
x8C Get le time stamps of a specic le
x8EEither runs an executable, loads a DLL or open
a le
x8F Move/Rename a le
x90 Steal login credentials
Code snapshot
-
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
18/23
-
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
19/23
Trend Micro | 2Q Report on Targeted Attack Campaigns
19
Command code Description
xBD Get TCP & UDP network connections
xBE Get process listing
xBF Terminate process
xC0Get CPU info, Windows and System32 folder,
hostname, user name, clipboard contents
xC1Delete its les and registries from the system
(uninstall itself)
xE2- xE3 Related to stealing desktop screenshots
xE5 Get desktop screenshot
xE6 Get le listing
xE9 Connect to other network
xEB Set mouse event
xEC Start capture window for media grabbing
xEE Media capture related
xF0 Start audio recording
xF2 Search for certain les and steal le content
-
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
20/23
Trend Micro | 2Q Report on Targeted Attack Campaigns
20
This captured packet shows sample backdoor commands and replies:
Backdoor command xC0: Get CPU info, Windows and System32folder, hostname, user name and clipboard content
Backdoor command x82: Get drive listings and types
These capabilities can be used for both lateral movement within a compromised
organization and to steal information. EvilGrab steals internal user names and passwords
as well as logs keystrokes. Credentials stolen this way can be used to move within theconnes of the organizations network.
EvilGrab possesses a wide variety of information theft capabilities. It can grab audio
and video les directly from devices attached on the system (i.e. microphone and
camera). In addition, EvilGrab can upload les from the affected system to remote
servers. EvilGrab possesses a full range of capabilities that is expected in malware used
in targeted attacks against organizations.
-
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
21/23
Trend Micro | 2Q Report on Targeted Attack Campaigns
2
Trend Micro Recommendations
Targeted attacks pose a challenge to traditional signature-based security solutions. To deal with
these type of threats, employ solutions that include network monitoring to detect and analyze
incoming threats, as well as any outgoing communication with attacking parties.
Products like Trend Micro Deep Discovery are capable of mitigating the risks from these
threats. One component of Deep Discovery, the Deep Discovery Inspector, provides network
threat detection, custom sandboxing, and real-time analysis and reporting.
The second component, Deep Discovery Advisor, provides sandbox analysis of known and
unknown threats that augments the capabilities of existing products like endpoint solution and
email/web gateways. It also provides visibility to network-wide security events.
The capabilities provided by solutions like Deep Discovery are necessary to provide a unied,
comprehensive view of the threats an organization faces. This information can then be usedby an organization to create appropriate and proportional responses to properly protect an
organizations network.
-
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
22/23
Trend Micro | 2Q Report on Targeted Attack Campaigns
22
References
1 Sancho, David; Dela Torre, Jessa; Bakuei, Matsukawa; Villeneuve, Nart; and McArdle, Robert. (2013). TrendMicro Incorporated Research Paper. IXESHE: An APT Campaign. Last accesed August 30, 2013. http://www.trendmicro.
com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf
2 Trend Micro Incorporated. (2013). Trend Micro Incorporated Research Paper The Taidoor Campaign: An In-DepthAnalysis. Last accessed August 30, 2013. http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/
white-papers/wp_the_taidoor_campaign.pdf
3 Security TechCenter. (November 13, 2012).Microsoft Security Advisory. Microsoft Security Advisory (2269637):
Insecure Library Loading Could Allow Remote Code Execution Last accessed August 30, 2013. http://technet.microsoft.com/en-us/security/advisory/2269637
4 Microsoft. (2013). Windows Dev Center - Desktop.Using the Sample Grabber. Last accessed August 30, 2013.
http://msdn.microsoft.com/en-us/library/windows/desktop/dd407288(v=vs.85).aspx
5 Microsoft. (2013). Developer Network. Recording and Playing Sound with the Waveform Audio Interface. Last
accessed August 30, 2013. http://msdn.microsoft.com/en-us/library/aa446573.aspx#waveinout_topic_006
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdfhttp://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdfhttp://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdfhttp://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdfhttp://technet.microsoft.com/en-us/security/advisory/2269637http://technet.microsoft.com/en-us/security/advisory/2269637http://msdn.microsoft.com/en-us/library/windows/desktop/dd407288%28v%3Dvs.85%29.aspxhttp://msdn.microsoft.com/en-us/library/aa446573.aspx%23waveinout_topic_006http://msdn.microsoft.com/en-us/library/aa446573.aspx%23waveinout_topic_006http://msdn.microsoft.com/en-us/library/windows/desktop/dd407288%28v%3Dvs.85%29.aspxhttp://technet.microsoft.com/en-us/security/advisory/2269637http://technet.microsoft.com/en-us/security/advisory/2269637http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdfhttp://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdfhttp://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdfhttp://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf -
8/12/2019 2q-report-on-targeted-attack-campaigns.pdf
23/23
Trend Micro Incorporated, a global leader in security software, strives to make the
world safe for exchanging digital information. Our innovative solutions for consumers,
businesses and governments provide layered content security to protect informationon mobile devices, endpoints, gateways, servers and the cloud. All of our solutions are
powered by cloud-based global threat intelligence, the Trend Micro Smart Protection
Network, and are supported by over 1,200 threat experts around the globe. For more
information, visit www.trendmicro.com.
2013 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend
Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated.
All other product or company names may be trademarks or registered trademarks oftheir owners.
10101 N. De Anza Blvd.
Cupertino, CA 95014
U.S. toll free: 1 +800.228.5651
Phone: 1 +408.257.1500
Fax: 1 +408.257.2003
http://www.trendmicro.com/us/index.htmlhttp://www.trendmicro.com/us/index.html